ebb896d299a7f5a554ebe01628252380a6cc4aa57d8fbb8708b3afd46fe5ef46

Analysis

max time kernel
119s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebb896d299a7f5a554ebe01628252380a6cc4aa57d8fbb8708b3afd46fe5ef46.exe
Size

50KB
MD5

f66bfbe13f22739e5841a7c9726b23c0
SHA1

1d29b0f81830697929dd0fbf3f537927d713eaec
SHA256

ebb896d299a7f5a554ebe01628252380a6cc4aa57d8fbb8708b3afd46fe5ef46
SHA512

99c762beef9e4bed47be04c67576f33090dd251e98c078cfed2dfc2671a42bceac17c2bcef7366c0737593cec5005553c75c320daf5a431df5af03721a8cff2e
SSDEEP

1536:BgWvokChrHzr0hhf6haquqtvOfUYtxZi:BgWDCRT8q5hOcYA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Mniojo32.exeGnpiqgpd.exeOlaqqe32.exePajidjld.exeCecmjk32.exeKbaocjcm.exeJemnefij.exeEipkgb32.exeHlinaojl.exeIdlifpao.exePmlpnlfn.exePkpacdkb.exeFglilmaj.exeJeiejfmp.exeOpoigc32.exeIolpgmhe.exeQgejdg32.exeJlejlp32.exeBmmjfoio.exeFkehgl32.exeHbajhi32.exeCoelnf32.exePpaflc32.exeBlmijj32.exeAmdllaei.exeEeihacjk.exeGbamif32.exeKhijje32.exeIefhdg32.exeApaojjae.exeCogdbd32.exeEgniciml.exeEoamjiqk.exeCkfoff32.exeKnpijgqm.exeIgoonk32.exeDeffongj.exeDldpkn32.exeIgakcjjj.exeEhqnmp32.exeDamjek32.exeDlkflmhg.exeJocfhl32.exeGmphecji.exeKmipfc32.exeEqbdqp32.exeKjfjohfa.exeCmofkn32.exeKfmkdi32.exeFpgbmpbd.exeCpkbam32.exeIceobl32.exeJlbmfq32.exeKfhaijpk.exeQcbkmalj.exeEhehhoka.exeFinjqf32.exeFlncba32.exeHkcdnj32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mniojo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnpiqgpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olaqqe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pajidjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cecmjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbaocjcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jemnefij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eipkgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlinaojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlinaojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idlifpao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlpnlfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkpacdkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fglilmaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeiejfmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opoigc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iolpgmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgejdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlejlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmmjfoio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkehgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbajhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coelnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppaflc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmijj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amdllaei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeihacjk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbamif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iefhdg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaojjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogdbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egniciml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoamjiqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckfoff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knpijgqm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igoonk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deffongj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dldpkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igakcjjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehqnmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Damjek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlkflmhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iefhdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocfhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmphecji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmipfc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmmjfoio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqbdqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjfjohfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmofkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmkdi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgbmpbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iceobl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbmfq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iolpgmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfhaijpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcbkmalj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehehhoka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Finjqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flncba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkcdnj32.exe

Executes dropped EXE 64 IoCs

Processes:

Olaqqe32.exeOpoigc32.exePpaflc32.exePhmkqeji.exePlkcgd32.exePmlpnlfn.exePajidjld.exePhdaad32.exePmqiik32.exeQigjol32.exeQenkcmma.exeQcbkmalj.exeApflff32.exeAaghnnab.exeAkpmgc32.exeAcgeha32.exeAdhapi32.exeAdjnei32.exeApaojjae.exeAkgcgb32.exeBgmclcgo.exeBnglin32.exeBgppbc32.exeBjnlno32.exeBlmijj32.exeBgbmgc32.exeBqjaphij.exeBopnaenb.exeBfjfno32.exeCkfoff32.exeCmflqi32.exeCbcdip32.exeCgpmaf32.exeCogdbd32.exeCecmjk32.exeCgbiff32.exeCnlacp32.exeCajnol32.exeCkpbmd32.exeCjbbhabf.exeDamjek32.exeDckgag32.exeDnqknpim.exeDpbgfh32.exeDgioge32.exeDjglcq32.exeDmfhpl32.exeDaadpkfn.exeDmjajkjo.exeDeffongj.exeMniojo32.exeMdhdgf32.exeMihjelgc.exePkpacdkb.exeAcppcfdh.exeAnlmicod.exeBmmjfoio.exeBpkfbjhb.exeCmofkn32.exeClbggkng.exeCfhkdcnm.exeCifgpomp.exeCihdfo32.exeClgpbj32.exe

pid	process
916	Olaqqe32.exe
1352	Opoigc32.exe
976	Ppaflc32.exe
1656	Phmkqeji.exe
1664	Plkcgd32.exe
1260	Pmlpnlfn.exe
992	Pajidjld.exe
912	Phdaad32.exe
1384	Pmqiik32.exe
840	Qigjol32.exe
1052	Qenkcmma.exe
980	Qcbkmalj.exe
556	Apflff32.exe
1124	Aaghnnab.exe
1644	Akpmgc32.exe
968	Acgeha32.exe
1984	Adhapi32.exe
1004	Adjnei32.exe
1288	Apaojjae.exe
1816	Akgcgb32.exe
940	Bgmclcgo.exe
928	Bnglin32.exe
1740	Bgppbc32.exe
872	Bjnlno32.exe
1692	Blmijj32.exe
1704	Bgbmgc32.exe
1648	Bqjaphij.exe
1588	Bopnaenb.exe
1712	Bfjfno32.exe
1456	Ckfoff32.exe
276	Cmflqi32.exe
1324	Cbcdip32.exe
1864	Cgpmaf32.exe
592	Cogdbd32.exe
1164	Cecmjk32.exe
792	Cgbiff32.exe
868	Cnlacp32.exe
1332	Cajnol32.exe
1308	Ckpbmd32.exe
1808	Cjbbhabf.exe
1060	Damjek32.exe
864	Dckgag32.exe
1956	Dnqknpim.exe
956	Dpbgfh32.exe
1256	Dgioge32.exe
1568	Djglcq32.exe
1608	Dmfhpl32.exe
1700	Daadpkfn.exe
1116	Dmjajkjo.exe
1620	Deffongj.exe
1612	Mniojo32.exe
1508	Mdhdgf32.exe
304	Mihjelgc.exe
1552	Pkpacdkb.exe
988	Acppcfdh.exe
1128	Anlmicod.exe
524	Bmmjfoio.exe
1800	Bpkfbjhb.exe
1528	Cmofkn32.exe
1672	Clbggkng.exe
688	Cfhkdcnm.exe
1096	Cifgpomp.exe
580	Cihdfo32.exe
1520	Clgpbj32.exe

Loads dropped DLL 64 IoCs

Processes:

ebb896d299a7f5a554ebe01628252380a6cc4aa57d8fbb8708b3afd46fe5ef46.exeOlaqqe32.exeOpoigc32.exePpaflc32.exePhmkqeji.exePlkcgd32.exePmlpnlfn.exePajidjld.exePhdaad32.exePmqiik32.exeQigjol32.exeQenkcmma.exeQcbkmalj.exeApflff32.exeAaghnnab.exeAkpmgc32.exeAcgeha32.exeAdhapi32.exeAdjnei32.exeApaojjae.exeAkgcgb32.exeBgmclcgo.exeBnglin32.exeBgppbc32.exeBjnlno32.exeBlmijj32.exeBgbmgc32.exeBqjaphij.exeBopnaenb.exeBfjfno32.exeCkfoff32.exeCmflqi32.exe

pid	process
2016	ebb896d299a7f5a554ebe01628252380a6cc4aa57d8fbb8708b3afd46fe5ef46.exe
2016	ebb896d299a7f5a554ebe01628252380a6cc4aa57d8fbb8708b3afd46fe5ef46.exe
916	Olaqqe32.exe
916	Olaqqe32.exe
1352	Opoigc32.exe
1352	Opoigc32.exe
976	Ppaflc32.exe
976	Ppaflc32.exe
1656	Phmkqeji.exe
1656	Phmkqeji.exe
1664	Plkcgd32.exe
1664	Plkcgd32.exe
1260	Pmlpnlfn.exe
1260	Pmlpnlfn.exe
992	Pajidjld.exe
992	Pajidjld.exe
912	Phdaad32.exe
912	Phdaad32.exe
1384	Pmqiik32.exe
1384	Pmqiik32.exe
840	Qigjol32.exe
840	Qigjol32.exe
1052	Qenkcmma.exe
1052	Qenkcmma.exe
980	Qcbkmalj.exe
980	Qcbkmalj.exe
556	Apflff32.exe
556	Apflff32.exe
1124	Aaghnnab.exe
1124	Aaghnnab.exe
1644	Akpmgc32.exe
1644	Akpmgc32.exe
968	Acgeha32.exe
968	Acgeha32.exe
1984	Adhapi32.exe
1984	Adhapi32.exe
1004	Adjnei32.exe
1004	Adjnei32.exe
1288	Apaojjae.exe
1288	Apaojjae.exe
1816	Akgcgb32.exe
1816	Akgcgb32.exe
940	Bgmclcgo.exe
940	Bgmclcgo.exe
928	Bnglin32.exe
928	Bnglin32.exe
1740	Bgppbc32.exe
1740	Bgppbc32.exe
872	Bjnlno32.exe
872	Bjnlno32.exe
1692	Blmijj32.exe
1692	Blmijj32.exe
1704	Bgbmgc32.exe
1704	Bgbmgc32.exe
1648	Bqjaphij.exe
1648	Bqjaphij.exe
1588	Bopnaenb.exe
1588	Bopnaenb.exe
1712	Bfjfno32.exe
1712	Bfjfno32.exe
1456	Ckfoff32.exe
1456	Ckfoff32.exe
276	Cmflqi32.exe
276	Cmflqi32.exe

Drops file in System32 directory 64 IoCs

Processes:

Ehckbomd.exeHooqnicg.exeDldpkn32.exeDjglcq32.exeBmmjfoio.exeFcggmjqm.exeCajnol32.exeFcejhjbp.exeDeffongj.exeCifgpomp.exeCogdbd32.exeDaadpkfn.exeDlkflmhg.exeHammjdbk.exeKhijje32.exeAimiga32.exeEoamjiqk.exeGofbdk32.exeMdhdgf32.exeDnobja32.exeGmphecji.exeJlbmfq32.exeJocfhl32.exeKoeomobf.exeBgbmgc32.exeCbcdip32.exeGlqlgdha.exeIgjebkqb.exeImfjeefm.exeJgokmnoh.exeKocbgodi.exeLippkdgd.exeAcppcfdh.exeCknjif32.exeHhpofppp.exeIdnelp32.exeKghncm32.exeLnklnkgn.exeQgejdg32.exeGkhjnmik.exeCnlacp32.exeAnlmicod.exeKbdkijaj.exeEdnebpob.exePlkcgd32.exeAdhapi32.exeEhgplmjf.exeCfhkdcnm.exeDmfhpl32.exePkpacdkb.exeGafjkbfg.exeIefhdg32.exeKbaocjcm.exePajidjld.exeQcbkmalj.exeGpndanim.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Eakpke32.exe	Ehckbomd.exe
File created	C:\Windows\SysWOW64\Hammjdbk.exe	Hooqnicg.exe
File opened for modification	C:\Windows\SysWOW64\Hammjdbk.exe	Hooqnicg.exe
File created	C:\Windows\SysWOW64\Gcnlip32.dll	Dldpkn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmfhpl32.exe	Djglcq32.exe
File opened for modification	C:\Windows\SysWOW64\Bpkfbjhb.exe	Bmmjfoio.exe
File created	C:\Windows\SysWOW64\Okmmeghl.dll	Fcggmjqm.exe
File created	C:\Windows\SysWOW64\Ckpbmd32.exe	Cajnol32.exe
File created	C:\Windows\SysWOW64\Ijglcdnm.dll	Fcejhjbp.exe
File opened for modification	C:\Windows\SysWOW64\Mniojo32.exe	Deffongj.exe
File created	C:\Windows\SysWOW64\Hpgkib32.dll	Cifgpomp.exe
File opened for modification	C:\Windows\SysWOW64\Cecmjk32.exe	Cogdbd32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjajkjo.exe	Daadpkfn.exe
File created	C:\Windows\SysWOW64\Olghdome.dll	Dlkflmhg.exe
File created	C:\Windows\SysWOW64\Fhcfbbdb.dll	Hammjdbk.exe
File created	C:\Windows\SysWOW64\Ioefqgdn.dll	Khijje32.exe
File created	C:\Windows\SysWOW64\Lpjbgdde.dll	Aimiga32.exe
File created	C:\Windows\SysWOW64\Agjfkcod.dll	Eoamjiqk.exe
File created	C:\Windows\SysWOW64\Cfbojain.dll	Gofbdk32.exe
File created	C:\Windows\SysWOW64\Mihjelgc.exe	Mdhdgf32.exe
File created	C:\Windows\SysWOW64\Pmmmnm32.dll	Mdhdgf32.exe
File created	C:\Windows\SysWOW64\Jlkhnahf.dll	Djglcq32.exe
File opened for modification	C:\Windows\SysWOW64\Dldpkn32.exe	Dnobja32.exe
File opened for modification	C:\Windows\SysWOW64\Gpndanim.exe	Gmphecji.exe
File created	C:\Windows\SysWOW64\Jcmeckli.exe	Jlbmfq32.exe
File created	C:\Windows\SysWOW64\Jemnefij.exe	Jocfhl32.exe
File created	C:\Windows\SysWOW64\Pkcpoj32.dll	Koeomobf.exe
File opened for modification	C:\Windows\SysWOW64\Bqjaphij.exe	Bgbmgc32.exe
File created	C:\Windows\SysWOW64\Ikiode32.dll	Cbcdip32.exe
File opened for modification	C:\Windows\SysWOW64\Gfiqpj32.exe	Glqlgdha.exe
File created	C:\Windows\SysWOW64\Ioamciad.exe	Igjebkqb.exe
File created	C:\Windows\SysWOW64\Iabfed32.exe	Imfjeefm.exe
File created	C:\Windows\SysWOW64\Kmpmpd32.exe	Jgokmnoh.exe
File opened for modification	C:\Windows\SysWOW64\Kbaocjcm.exe	Kocbgodi.exe
File created	C:\Windows\SysWOW64\Qgejdg32.exe	Lippkdgd.exe
File created	C:\Windows\SysWOW64\Ngifjl32.dll	Acppcfdh.exe
File created	C:\Windows\SysWOW64\Apmdff32.dll	Cknjif32.exe
File opened for modification	C:\Windows\SysWOW64\Hedopdoi.exe	Hhpofppp.exe
File opened for modification	C:\Windows\SysWOW64\Iglbhk32.exe	Idnelp32.exe
File opened for modification	C:\Windows\SysWOW64\Kfknninh.exe	Kghncm32.exe
File created	C:\Windows\SysWOW64\Klcgdfje.dll	Lnklnkgn.exe
File opened for modification	C:\Windows\SysWOW64\Amdllaei.exe	Qgejdg32.exe
File opened for modification	C:\Windows\SysWOW64\Ghljhagd.exe	Gkhjnmik.exe
File created	C:\Windows\SysWOW64\Cajnol32.exe	Cnlacp32.exe
File opened for modification	C:\Windows\SysWOW64\Bmmjfoio.exe	Anlmicod.exe
File created	C:\Windows\SysWOW64\Alhmlh32.dll	Kbdkijaj.exe
File created	C:\Windows\SysWOW64\Gcmejloq.dll	Ednebpob.exe
File opened for modification	C:\Windows\SysWOW64\Pmlpnlfn.exe	Plkcgd32.exe
File created	C:\Windows\SysWOW64\Adjnei32.exe	Adhapi32.exe
File opened for modification	C:\Windows\SysWOW64\Eqbdqp32.exe	Ehgplmjf.exe
File created	C:\Windows\SysWOW64\Hedopdoi.exe	Hhpofppp.exe
File opened for modification	C:\Windows\SysWOW64\Ggagin32.exe	Gofbdk32.exe
File created	C:\Windows\SysWOW64\Cgpmaf32.exe	Cbcdip32.exe
File created	C:\Windows\SysWOW64\Lohmalba.dll	Cfhkdcnm.exe
File created	C:\Windows\SysWOW64\Daadpkfn.exe	Dmfhpl32.exe
File created	C:\Windows\SysWOW64\Acppcfdh.exe	Pkpacdkb.exe
File created	C:\Windows\SysWOW64\Gebfka32.exe	Gafjkbfg.exe
File created	C:\Windows\SysWOW64\Jpllap32.exe	Iefhdg32.exe
File created	C:\Windows\SysWOW64\Kfmkdi32.exe	Kbaocjcm.exe
File created	C:\Windows\SysWOW64\Gijgdi32.dll	Pajidjld.exe
File created	C:\Windows\SysWOW64\Apflff32.exe	Qcbkmalj.exe
File created	C:\Windows\SysWOW64\Gppqgn32.exe	Gpndanim.exe
File created	C:\Windows\SysWOW64\Eakpke32.exe	Ehckbomd.exe
File opened for modification	C:\Windows\SysWOW64\Epciba32.exe	Eoamjiqk.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2996 2988 WerFault.exe Hoaeho32.exe

pid	pid_target	process	target process
2996	2988	WerFault.exe	Hoaeho32.exe

Modifies registry class 64 IoCs

Processes:

Cmflqi32.exeDmjajkjo.exeFqgnlocl.exeGhljhagd.exeQenkcmma.exeGgagin32.exeDamjek32.exeDgioge32.exeMihjelgc.exeCdbefm32.exeIapipdph.exePhdaad32.exeBopnaenb.exeJeiejfmp.exeGjbpkiin.exeJapfog32.exeClbggkng.exeClgpbj32.exeDdkhmk32.exeIgjebkqb.exeIefhdg32.exeEakpke32.exeGpjkbc32.exeGnpiqgpd.exePkpacdkb.exeFcggmjqm.exeIabfed32.exeJdnbkc32.exeLnklnkgn.exeEhqnmp32.exeEkhmoj32.exeApflff32.exeDnqknpim.exeCmofkn32.exeIglbhk32.exeKfhaijpk.exeFeidqf32.exeHooqnicg.exeGfiqpj32.exeKmpmpd32.exePpaflc32.exeDmfhpl32.exeDnobja32.exeDafaodia.exeJemnefij.exeBgmclcgo.exeEhbfannl.exeKocbgodi.exeCebfba32.exeIceobl32.exeQcbkmalj.exeCecmjk32.exeDjkmjbkf.exeHkahhkma.exeEeihacjk.exeGnkoeh32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmflqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqcdjq32.dll"	Dmjajkjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqgnlocl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghljhagd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgdokk32.dll"	Qenkcmma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggagin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Damjek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgioge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjplpnh.dll"	Mihjelgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdbefm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapipdph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phdaad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bopnaenb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jeiejfmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjbpkiin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Japfog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clbggkng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddkhmk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igjebkqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fecbko32.dll"	Iefhdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eakpke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpjkbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnpiqgpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bopnaenb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkpacdkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcggmjqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmonmpi.dll"	Iabfed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omblod32.dll"	Jdnbkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klcgdfje.dll"	Lnklnkgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqqnhk32.dll"	Ehqnmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekhmoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egaalk32.dll"	Apflff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnqknpim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmofkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iglbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifchdph.dll"	Kfhaijpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Feidqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmflqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hooqnicg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfiqpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmpmpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppaflc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmfhpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnobja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dafaodia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdedci32.dll"	Jemnefij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdakgcb.dll"	Bgmclcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehbfannl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdnbkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldaapf32.dll"	Kocbgodi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cebfba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igjebkqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabjqa32.dll"	Iceobl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cebfba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcbkmalj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldbgjgp.dll"	Cecmjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmhjbcbf.dll"	Clgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djkmjbkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkahhkma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eeihacjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnkoeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmiio32.dll"	Qcbkmalj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apflff32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2016 wrote to memory of 916	2016	ebb896d299a7f5a554ebe01628252380a6cc4aa57d8fbb8708b3afd46fe5ef46.exe	Olaqqe32.exe
PID 2016 wrote to memory of 916	2016	ebb896d299a7f5a554ebe01628252380a6cc4aa57d8fbb8708b3afd46fe5ef46.exe	Olaqqe32.exe
PID 2016 wrote to memory of 916	2016	ebb896d299a7f5a554ebe01628252380a6cc4aa57d8fbb8708b3afd46fe5ef46.exe	Olaqqe32.exe
PID 2016 wrote to memory of 916	2016	ebb896d299a7f5a554ebe01628252380a6cc4aa57d8fbb8708b3afd46fe5ef46.exe	Olaqqe32.exe
PID 916 wrote to memory of 1352	916	Olaqqe32.exe	Opoigc32.exe
PID 916 wrote to memory of 1352	916	Olaqqe32.exe	Opoigc32.exe
PID 916 wrote to memory of 1352	916	Olaqqe32.exe	Opoigc32.exe
PID 916 wrote to memory of 1352	916	Olaqqe32.exe	Opoigc32.exe
PID 1352 wrote to memory of 976	1352	Opoigc32.exe	Ppaflc32.exe
PID 1352 wrote to memory of 976	1352	Opoigc32.exe	Ppaflc32.exe
PID 1352 wrote to memory of 976	1352	Opoigc32.exe	Ppaflc32.exe
PID 1352 wrote to memory of 976	1352	Opoigc32.exe	Ppaflc32.exe
PID 976 wrote to memory of 1656	976	Ppaflc32.exe	Phmkqeji.exe
PID 976 wrote to memory of 1656	976	Ppaflc32.exe	Phmkqeji.exe
PID 976 wrote to memory of 1656	976	Ppaflc32.exe	Phmkqeji.exe
PID 976 wrote to memory of 1656	976	Ppaflc32.exe	Phmkqeji.exe
PID 1656 wrote to memory of 1664	1656	Phmkqeji.exe	Plkcgd32.exe
PID 1656 wrote to memory of 1664	1656	Phmkqeji.exe	Plkcgd32.exe
PID 1656 wrote to memory of 1664	1656	Phmkqeji.exe	Plkcgd32.exe
PID 1656 wrote to memory of 1664	1656	Phmkqeji.exe	Plkcgd32.exe
PID 1664 wrote to memory of 1260	1664	Plkcgd32.exe	Pmlpnlfn.exe
PID 1664 wrote to memory of 1260	1664	Plkcgd32.exe	Pmlpnlfn.exe
PID 1664 wrote to memory of 1260	1664	Plkcgd32.exe	Pmlpnlfn.exe
PID 1664 wrote to memory of 1260	1664	Plkcgd32.exe	Pmlpnlfn.exe
PID 1260 wrote to memory of 992	1260	Pmlpnlfn.exe	Pajidjld.exe
PID 1260 wrote to memory of 992	1260	Pmlpnlfn.exe	Pajidjld.exe
PID 1260 wrote to memory of 992	1260	Pmlpnlfn.exe	Pajidjld.exe
PID 1260 wrote to memory of 992	1260	Pmlpnlfn.exe	Pajidjld.exe
PID 992 wrote to memory of 912	992	Pajidjld.exe	Phdaad32.exe
PID 992 wrote to memory of 912	992	Pajidjld.exe	Phdaad32.exe
PID 992 wrote to memory of 912	992	Pajidjld.exe	Phdaad32.exe
PID 992 wrote to memory of 912	992	Pajidjld.exe	Phdaad32.exe
PID 912 wrote to memory of 1384	912	Phdaad32.exe	Pmqiik32.exe
PID 912 wrote to memory of 1384	912	Phdaad32.exe	Pmqiik32.exe
PID 912 wrote to memory of 1384	912	Phdaad32.exe	Pmqiik32.exe
PID 912 wrote to memory of 1384	912	Phdaad32.exe	Pmqiik32.exe
PID 1384 wrote to memory of 840	1384	Pmqiik32.exe	Qigjol32.exe
PID 1384 wrote to memory of 840	1384	Pmqiik32.exe	Qigjol32.exe
PID 1384 wrote to memory of 840	1384	Pmqiik32.exe	Qigjol32.exe
PID 1384 wrote to memory of 840	1384	Pmqiik32.exe	Qigjol32.exe
PID 840 wrote to memory of 1052	840	Qigjol32.exe	Qenkcmma.exe
PID 840 wrote to memory of 1052	840	Qigjol32.exe	Qenkcmma.exe
PID 840 wrote to memory of 1052	840	Qigjol32.exe	Qenkcmma.exe
PID 840 wrote to memory of 1052	840	Qigjol32.exe	Qenkcmma.exe
PID 1052 wrote to memory of 980	1052	Qenkcmma.exe	Qcbkmalj.exe
PID 1052 wrote to memory of 980	1052	Qenkcmma.exe	Qcbkmalj.exe
PID 1052 wrote to memory of 980	1052	Qenkcmma.exe	Qcbkmalj.exe
PID 1052 wrote to memory of 980	1052	Qenkcmma.exe	Qcbkmalj.exe
PID 980 wrote to memory of 556	980	Qcbkmalj.exe	Apflff32.exe
PID 980 wrote to memory of 556	980	Qcbkmalj.exe	Apflff32.exe
PID 980 wrote to memory of 556	980	Qcbkmalj.exe	Apflff32.exe
PID 980 wrote to memory of 556	980	Qcbkmalj.exe	Apflff32.exe
PID 556 wrote to memory of 1124	556	Apflff32.exe	Aaghnnab.exe
PID 556 wrote to memory of 1124	556	Apflff32.exe	Aaghnnab.exe
PID 556 wrote to memory of 1124	556	Apflff32.exe	Aaghnnab.exe
PID 556 wrote to memory of 1124	556	Apflff32.exe	Aaghnnab.exe
PID 1124 wrote to memory of 1644	1124	Aaghnnab.exe	Akpmgc32.exe
PID 1124 wrote to memory of 1644	1124	Aaghnnab.exe	Akpmgc32.exe
PID 1124 wrote to memory of 1644	1124	Aaghnnab.exe	Akpmgc32.exe
PID 1124 wrote to memory of 1644	1124	Aaghnnab.exe	Akpmgc32.exe
PID 1644 wrote to memory of 968	1644	Akpmgc32.exe	Acgeha32.exe
PID 1644 wrote to memory of 968	1644	Akpmgc32.exe	Acgeha32.exe
PID 1644 wrote to memory of 968	1644	Akpmgc32.exe	Acgeha32.exe
PID 1644 wrote to memory of 968	1644	Akpmgc32.exe	Acgeha32.exe

C:\Users\Admin\AppData\Local\Temp\ebb896d299a7f5a554ebe01628252380a6cc4aa57d8fbb8708b3afd46fe5ef46.exe
"C:\Users\Admin\AppData\Local\Temp\ebb896d299a7f5a554ebe01628252380a6cc4aa57d8fbb8708b3afd46fe5ef46.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\Olaqqe32.exe
  C:\Windows\system32\Olaqqe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SysWOW64\Opoigc32.exe
    C:\Windows\system32\Opoigc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\SysWOW64\Ppaflc32.exe
      C:\Windows\system32\Ppaflc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Windows\SysWOW64\Phmkqeji.exe
        
        C:\Windows\system32\Phmkqeji.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\SysWOW64\Plkcgd32.exe
        
        C:\Windows\system32\Plkcgd32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Pmlpnlfn.exe
        
        C:\Windows\system32\Pmlpnlfn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Pajidjld.exe
        
        C:\Windows\system32\Pajidjld.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Phdaad32.exe
        
        C:\Windows\system32\Phdaad32.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Pmqiik32.exe
        
        C:\Windows\system32\Pmqiik32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Qigjol32.exe
        
        C:\Windows\system32\Qigjol32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Qenkcmma.exe
        
        C:\Windows\system32\Qenkcmma.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Qcbkmalj.exe
        
        C:\Windows\system32\Qcbkmalj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Apflff32.exe
        
        C:\Windows\system32\Apflff32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Aaghnnab.exe
        
        C:\Windows\system32\Aaghnnab.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Akpmgc32.exe
        
        C:\Windows\system32\Akpmgc32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Acgeha32.exe
        
        C:\Windows\system32\Acgeha32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:968
        
        C:\Windows\SysWOW64\Adhapi32.exe
        
        C:\Windows\system32\Adhapi32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Adjnei32.exe
        
        C:\Windows\system32\Adjnei32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1004
        
        C:\Windows\SysWOW64\Apaojjae.exe
        
        C:\Windows\system32\Apaojjae.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1288
        
        C:\Windows\SysWOW64\Akgcgb32.exe
        
        C:\Windows\system32\Akgcgb32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1816
        
        C:\Windows\SysWOW64\Bgmclcgo.exe
        
        C:\Windows\system32\Bgmclcgo.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Bnglin32.exe
        
        C:\Windows\system32\Bnglin32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:928
        
        C:\Windows\SysWOW64\Bgppbc32.exe
        
        C:\Windows\system32\Bgppbc32.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1740
        
        C:\Windows\SysWOW64\Bjnlno32.exe
        
        C:\Windows\system32\Bjnlno32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:872
        
        C:\Windows\SysWOW64\Blmijj32.exe
        
        C:\Windows\system32\Blmijj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1692
        
        C:\Windows\SysWOW64\Bgbmgc32.exe
        
        C:\Windows\system32\Bgbmgc32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Bqjaphij.exe
        
        C:\Windows\system32\Bqjaphij.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1648
        
        C:\Windows\SysWOW64\Bopnaenb.exe
        
        C:\Windows\system32\Bopnaenb.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Bfjfno32.exe
        
        C:\Windows\system32\Bfjfno32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1712
        
        C:\Windows\SysWOW64\Ckfoff32.exe
        
        C:\Windows\system32\Ckfoff32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1456
        
        C:\Windows\SysWOW64\Cmflqi32.exe
        
        C:\Windows\system32\Cmflqi32.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:276
        
        C:\Windows\SysWOW64\Cbcdip32.exe
        
        C:\Windows\system32\Cbcdip32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\Cgpmaf32.exe
        
        C:\Windows\system32\Cgpmaf32.exe
        34⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Cogdbd32.exe
        
        C:\Windows\system32\Cogdbd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:592
        
        C:\Windows\SysWOW64\Cecmjk32.exe
        
        C:\Windows\system32\Cecmjk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Cgbiff32.exe
        
        C:\Windows\system32\Cgbiff32.exe
        37⤵
        Executes dropped EXE
        
        PID:792
        
        C:\Windows\SysWOW64\Cnlacp32.exe
        
        C:\Windows\system32\Cnlacp32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Cajnol32.exe
        
        C:\Windows\system32\Cajnol32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\Ckpbmd32.exe
        
        C:\Windows\system32\Ckpbmd32.exe
        40⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\SysWOW64\Cjbbhabf.exe
        
        C:\Windows\system32\Cjbbhabf.exe
        41⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Damjek32.exe
        
        C:\Windows\system32\Damjek32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Dckgag32.exe
        
        C:\Windows\system32\Dckgag32.exe
        43⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\Dnqknpim.exe
        
        C:\Windows\system32\Dnqknpim.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Dpbgfh32.exe
        
        C:\Windows\system32\Dpbgfh32.exe
        45⤵
        Executes dropped EXE
        
        PID:956
        
        C:\Windows\SysWOW64\Dgioge32.exe
        
        C:\Windows\system32\Dgioge32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Djglcq32.exe
        
        C:\Windows\system32\Djglcq32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\Dmfhpl32.exe
        
        C:\Windows\system32\Dmfhpl32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Daadpkfn.exe
        
        C:\Windows\system32\Daadpkfn.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Dmjajkjo.exe
        
        C:\Windows\system32\Dmjajkjo.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Deffongj.exe
        
        C:\Windows\system32\Deffongj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\Mniojo32.exe
        
        C:\Windows\system32\Mniojo32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\Mdhdgf32.exe
        
        C:\Windows\system32\Mdhdgf32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\Mihjelgc.exe
        
        C:\Windows\system32\Mihjelgc.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:304
        
        C:\Windows\SysWOW64\Pkpacdkb.exe
        
        C:\Windows\system32\Pkpacdkb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Acppcfdh.exe
        
        C:\Windows\system32\Acppcfdh.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\Anlmicod.exe
        
        C:\Windows\system32\Anlmicod.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\Bmmjfoio.exe
        
        C:\Windows\system32\Bmmjfoio.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\Bpkfbjhb.exe
        
        C:\Windows\system32\Bpkfbjhb.exe
        59⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\Cmofkn32.exe
        
        C:\Windows\system32\Cmofkn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Clbggkng.exe
        
        C:\Windows\system32\Clbggkng.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Cfhkdcnm.exe
        
        C:\Windows\system32\Cfhkdcnm.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\Cifgpomp.exe
        
        C:\Windows\system32\Cifgpomp.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\Cihdfo32.exe
        
        C:\Windows\system32\Cihdfo32.exe
        64⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\Clgpbj32.exe
        
        C:\Windows\system32\Clgpbj32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Coelnf32.exe
        
        C:\Windows\system32\Coelnf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1048
        
        C:\Windows\SysWOW64\Cdbefm32.exe
        
        C:\Windows\system32\Cdbefm32.exe
        67⤵
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Climgj32.exe
        
        C:\Windows\system32\Climgj32.exe
        68⤵
        
        PID:844
        
        C:\Windows\SysWOW64\Cknjif32.exe
        
        C:\Windows\system32\Cknjif32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Cpkbam32.exe
        
        C:\Windows\system32\Cpkbam32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:768
        
        C:\Windows\SysWOW64\Dnobja32.exe
        
        C:\Windows\system32\Dnobja32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Dldpkn32.exe
        
        C:\Windows\system32\Dldpkn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\Ddkhmk32.exe
        
        C:\Windows\system32\Ddkhmk32.exe
        73⤵
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Dpbhalef.exe
        
        C:\Windows\system32\Dpbhalef.exe
        74⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\Djkmjbkf.exe
        
        C:\Windows\system32\Djkmjbkf.exe
        75⤵
        Modifies registry class
        
        PID:240
        
        C:\Windows\SysWOW64\Dafaodia.exe
        
        C:\Windows\system32\Dafaodia.exe
        76⤵
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Dhpjkn32.exe
        
        C:\Windows\system32\Dhpjkn32.exe
        77⤵
        
        PID:840
        
        C:\Windows\SysWOW64\Dlkflmhg.exe
        
        C:\Windows\system32\Dlkflmhg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\Ehbfannl.exe
        
        C:\Windows\system32\Ehbfannl.exe
        79⤵
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Ekcocikm.exe
        
        C:\Windows\system32\Ekcocikm.exe
        80⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Enalodjp.exe
        
        C:\Windows\system32\Enalodjp.exe
        81⤵
        
        PID:772
        
        C:\Windows\SysWOW64\Ehgplmjf.exe
        
        C:\Windows\system32\Ehgplmjf.exe
        82⤵
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\Eqbdqp32.exe
        
        C:\Windows\system32\Eqbdqp32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1832
        
        C:\Windows\SysWOW64\Edpmgnnh.exe
        
        C:\Windows\system32\Edpmgnnh.exe
        84⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Egniciml.exe
        
        C:\Windows\system32\Egniciml.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1964
        
        C:\Windows\SysWOW64\Fqgnlocl.exe
        
        C:\Windows\system32\Fqgnlocl.exe
        86⤵
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Fcejhjbp.exe
        
        C:\Windows\system32\Fcejhjbp.exe
        87⤵
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Fcggmjqm.exe
        
        C:\Windows\system32\Fcggmjqm.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Fmpkfpgn.exe
        
        C:\Windows\system32\Fmpkfpgn.exe
        89⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\Fonhbkfa.exe
        
        C:\Windows\system32\Fonhbkfa.exe
        90⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Fkehgl32.exe
        
        C:\Windows\system32\Fkehgl32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1640
        
        C:\Windows\SysWOW64\Fpqdhkdo.exe
        
        C:\Windows\system32\Fpqdhkdo.exe
        92⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\Fglilmaj.exe
        
        C:\Windows\system32\Fglilmaj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:268
        
        C:\Windows\SysWOW64\Gbamif32.exe
        
        C:\Windows\system32\Gbamif32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1920
        
        C:\Windows\SysWOW64\Gepjfa32.exe
        
        C:\Windows\system32\Gepjfa32.exe
        95⤵
        
        PID:428
        
        C:\Windows\SysWOW64\Gafjkbfg.exe
        
        C:\Windows\system32\Gafjkbfg.exe
        96⤵
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Gebfka32.exe
        
        C:\Windows\system32\Gebfka32.exe
        97⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\Gjooch32.exe
        
        C:\Windows\system32\Gjooch32.exe
        98⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\Gmmkpcll.exe
        
        C:\Windows\system32\Gmmkpcll.exe
        99⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\Gnmgjf32.exe
        
        C:\Windows\system32\Gnmgjf32.exe
        100⤵
        
        PID:804
        
        C:\Windows\SysWOW64\Gmphecji.exe
        
        C:\Windows\system32\Gmphecji.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\Gpndanim.exe
        
        C:\Windows\system32\Gpndanim.exe
        102⤵
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\Gppqgn32.exe
        
        C:\Windows\system32\Gppqgn32.exe
        103⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\Gbomci32.exe
        
        C:\Windows\system32\Gbomci32.exe
        104⤵
        
        PID:816
        
        C:\Windows\SysWOW64\Hbajhi32.exe
        
        C:\Windows\system32\Hbajhi32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:892
        
        C:\Windows\SysWOW64\Hepfdd32.exe
        
        C:\Windows\system32\Hepfdd32.exe
        106⤵
        
        PID:960
        
        C:\Windows\SysWOW64\Hlinaojl.exe
        
        C:\Windows\system32\Hlinaojl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:980
        
        C:\Windows\SysWOW64\Hfobog32.exe
        
        C:\Windows\system32\Hfobog32.exe
        108⤵
        
        PID:968
        
        C:\Windows\SysWOW64\Hhpofppp.exe
        
        C:\Windows\system32\Hhpofppp.exe
        109⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\Hedopdoi.exe
        
        C:\Windows\system32\Hedopdoi.exe
        110⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\Hipkpb32.exe
        
        C:\Windows\system32\Hipkpb32.exe
        111⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\Hkahhkma.exe
        
        C:\Windows\system32\Hkahhkma.exe
        112⤵
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Hbhpih32.exe
        
        C:\Windows\system32\Hbhpih32.exe
        113⤵
        
        PID:928
        
        C:\Windows\SysWOW64\Heflec32.exe
        
        C:\Windows\system32\Heflec32.exe
        114⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Hhehao32.exe
        
        C:\Windows\system32\Hhehao32.exe
        115⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\Hkcdnj32.exe
        
        C:\Windows\system32\Hkcdnj32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1524
        
        C:\Windows\SysWOW64\Hooqnicg.exe
        
        C:\Windows\system32\Hooqnicg.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Hammjdbk.exe
        
        C:\Windows\system32\Hammjdbk.exe
        118⤵
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\Idlifpao.exe
        
        C:\Windows\system32\Idlifpao.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1512
        
        C:\Windows\SysWOW64\Igjebkqb.exe
        
        C:\Windows\system32\Igjebkqb.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Ioamciad.exe
        
        C:\Windows\system32\Ioamciad.exe
        121⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\Iapipdph.exe
        
        C:\Windows\system32\Iapipdph.exe
        122⤵
        Modifies registry class
        
        PID:588
        
        C:\Windows\SysWOW64\Idnelp32.exe
        
        C:\Windows\system32\Idnelp32.exe
        123⤵
        Drops file in System32 directory
        
        PID:1872
        
        C:\Windows\SysWOW64\Iglbhk32.exe
        
        C:\Windows\system32\Iglbhk32.exe
        124⤵
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Ikhnijgi.exe
        
        C:\Windows\system32\Ikhnijgi.exe
        125⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\Imfjeefm.exe
        
        C:\Windows\system32\Imfjeefm.exe
        126⤵
        Drops file in System32 directory
        
        PID:468
        
        C:\Windows\SysWOW64\Iabfed32.exe
        
        C:\Windows\system32\Iabfed32.exe
        127⤵
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Ipefaqep.exe
        
        C:\Windows\system32\Ipefaqep.exe
        128⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\Iccbmldd.exe
        
        C:\Windows\system32\Iccbmldd.exe
        129⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\Igoonk32.exe
        
        C:\Windows\system32\Igoonk32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2056
        
        C:\Windows\SysWOW64\Ikjknief.exe
        
        C:\Windows\system32\Ikjknief.exe
        131⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Imigjedj.exe
        
        C:\Windows\system32\Imigjedj.exe
        132⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\Ipgcfpcn.exe
        
        C:\Windows\system32\Ipgcfpcn.exe
        133⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Iceobl32.exe
        
        C:\Windows\system32\Iceobl32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Igakcjjj.exe
        
        C:\Windows\system32\Igakcjjj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2096
        
        C:\Windows\SysWOW64\Imkcpd32.exe
        
        C:\Windows\system32\Imkcpd32.exe
        136⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\Ipiplp32.exe
        
        C:\Windows\system32\Ipiplp32.exe
        137⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\Iolpgmhe.exe
        
        C:\Windows\system32\Iolpgmhe.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2120
        
        C:\Windows\SysWOW64\Iefhdg32.exe
        
        C:\Windows\system32\Iefhdg32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Jpllap32.exe
        
        C:\Windows\system32\Jpllap32.exe
        140⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Jcjink32.exe
        
        C:\Windows\system32\Jcjink32.exe
        141⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Jeiejfmp.exe
        
        C:\Windows\system32\Jeiejfmp.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Jidaje32.exe
        
        C:\Windows\system32\Jidaje32.exe
        143⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Jhgafblc.exe
        
        C:\Windows\system32\Jhgafblc.exe
        144⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Jlbmfq32.exe
        
        C:\Windows\system32\Jlbmfq32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\Jcmeckli.exe
        
        C:\Windows\system32\Jcmeckli.exe
        146⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\Japfog32.exe
        
        C:\Windows\system32\Japfog32.exe
        147⤵
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Jdnbkc32.exe
        
        C:\Windows\system32\Jdnbkc32.exe
        148⤵
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Jlejlp32.exe
        
        C:\Windows\system32\Jlejlp32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2208
        
        C:\Windows\SysWOW64\Jocfhl32.exe
        
        C:\Windows\system32\Jocfhl32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Jemnefij.exe
        
        C:\Windows\system32\Jemnefij.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Jgokmnoh.exe
        
        C:\Windows\system32\Jgokmnoh.exe
        152⤵
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Kmpmpd32.exe
        
        C:\Windows\system32\Kmpmpd32.exe
        153⤵
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Kfhaijpk.exe
        
        C:\Windows\system32\Kfhaijpk.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Knpijgqm.exe
        
        C:\Windows\system32\Knpijgqm.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2256
        
        C:\Windows\SysWOW64\Kqnefbpa.exe
        
        C:\Windows\system32\Kqnefbpa.exe
        156⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\Koafao32.exe
        
        C:\Windows\system32\Koafao32.exe
        157⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\Kghncm32.exe
        
        C:\Windows\system32\Kghncm32.exe
        158⤵
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Kfknninh.exe
        
        C:\Windows\system32\Kfknninh.exe
        159⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\Kjfjohfa.exe
        
        C:\Windows\system32\Kjfjohfa.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2296
        
        C:\Windows\SysWOW64\Khijje32.exe
        
        C:\Windows\system32\Khijje32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Kocbgodi.exe
        
        C:\Windows\system32\Kocbgodi.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Kbaocjcm.exe
        
        C:\Windows\system32\Kbaocjcm.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Kfmkdi32.exe
        
        C:\Windows\system32\Kfmkdi32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2328
        
        C:\Windows\SysWOW64\Kmgcqccb.exe
        
        C:\Windows\system32\Kmgcqccb.exe
        165⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\Koeomobf.exe
        
        C:\Windows\system32\Koeomobf.exe
        166⤵
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\Kbdkijaj.exe
        
        C:\Windows\system32\Kbdkijaj.exe
        167⤵
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Kdbgeeqn.exe
        
        C:\Windows\system32\Kdbgeeqn.exe
        168⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\Kmipfc32.exe
        
        C:\Windows\system32\Kmipfc32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2368
        
        C:\Windows\SysWOW64\Lnklnkgn.exe
        
        C:\Windows\system32\Lnklnkgn.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Lfbdohhq.exe
        
        C:\Windows\system32\Lfbdohhq.exe
        171⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Lippkdgd.exe
        
        C:\Windows\system32\Lippkdgd.exe
        172⤵
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\Qgejdg32.exe
        
        C:\Windows\system32\Qgejdg32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2648
        
        C:\Windows\SysWOW64\Amdllaei.exe
        
        C:\Windows\system32\Amdllaei.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2656
        
        C:\Windows\SysWOW64\Accqjgan.exe
        
        C:\Windows\system32\Accqjgan.exe
        175⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Aimiga32.exe
        
        C:\Windows\system32\Aimiga32.exe
        176⤵
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\Aedjlb32.exe
        
        C:\Windows\system32\Aedjlb32.exe
        177⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\Cbopkfbi.exe
        
        C:\Windows\system32\Cbopkfbi.exe
        178⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\Cebfba32.exe
        
        C:\Windows\system32\Cebfba32.exe
        179⤵
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Efobegih.exe
        
        C:\Windows\system32\Efobegih.exe
        180⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\Ehqnmp32.exe
        
        C:\Windows\system32\Ehqnmp32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Ephfnm32.exe
        
        C:\Windows\system32\Ephfnm32.exe
        182⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Eaicfefg.exe
        
        C:\Windows\system32\Eaicfefg.exe
        183⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Eipkgb32.exe
        
        C:\Windows\system32\Eipkgb32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2736
        
        C:\Windows\SysWOW64\Ehckbomd.exe
        
        C:\Windows\system32\Ehckbomd.exe
        185⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\Eakpke32.exe
        
        C:\Windows\system32\Eakpke32.exe
        186⤵
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Ehehhoka.exe
        
        C:\Windows\system32\Ehehhoka.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2760
        
        C:\Windows\SysWOW64\Ejcddjje.exe
        
        C:\Windows\system32\Ejcddjje.exe
        188⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\Eeihacjk.exe
        
        C:\Windows\system32\Eeihacjk.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Efjdikpi.exe
        
        C:\Windows\system32\Efjdikpi.exe
        190⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Eoamjiqk.exe
        
        C:\Windows\system32\Eoamjiqk.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\Epciba32.exe
        
        C:\Windows\system32\Epciba32.exe
        192⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Ednebpob.exe
        
        C:\Windows\system32\Ednebpob.exe
        193⤵
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Ekhmoj32.exe
        
        C:\Windows\system32\Ekhmoj32.exe
        194⤵
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Ffondk32.exe
        
        C:\Windows\system32\Ffondk32.exe
        195⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Finjqf32.exe
        
        C:\Windows\system32\Finjqf32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2836
        
        C:\Windows\SysWOW64\Fpgbmpbd.exe
        
        C:\Windows\system32\Fpgbmpbd.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2844
        
        C:\Windows\SysWOW64\Flncba32.exe
        
        C:\Windows\system32\Flncba32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2852
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        199⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Feidqf32.exe
        
        C:\Windows\system32\Feidqf32.exe
        200⤵
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\Foaiilcg.exe
        
        C:\Windows\system32\Foaiilcg.exe
        201⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Fapeegbj.exe
        
        C:\Windows\system32\Fapeegbj.exe
        202⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Gdnaacan.exe
        
        C:\Windows\system32\Gdnaacan.exe
        203⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\Gkhjnmik.exe
        
        C:\Windows\system32\Gkhjnmik.exe
        204⤵
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\Ghljhagd.exe
        
        C:\Windows\system32\Ghljhagd.exe
        205⤵
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Gofbdk32.exe
        
        C:\Windows\system32\Gofbdk32.exe
        206⤵
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Ggagin32.exe
        
        C:\Windows\system32\Ggagin32.exe
        207⤵
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Gkmcil32.exe
        
        C:\Windows\system32\Gkmcil32.exe
        208⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Gnkoeh32.exe
        
        C:\Windows\system32\Gnkoeh32.exe
        209⤵
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Gpjkbc32.exe
        
        C:\Windows\system32\Gpjkbc32.exe
        210⤵
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Gjbpkiin.exe
        
        C:\Windows\system32\Gjbpkiin.exe
        211⤵
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Glqlgdha.exe
        
        C:\Windows\system32\Glqlgdha.exe
        212⤵
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Gfiqpj32.exe
        
        C:\Windows\system32\Gfiqpj32.exe
        213⤵
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Gnpiqgpd.exe
        
        C:\Windows\system32\Gnpiqgpd.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Hoaeho32.exe
        
        C:\Windows\system32\Hoaeho32.exe
        215⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 140
        216⤵
        Program crash
        
        PID:2996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaghnnab.exe

Filesize
50KB

MD5
93e603cee04e37ebfc26190fdaad8baa

SHA1
53d615fcaca589ecb00b1d6b2a71c56268d4a281

SHA256
83f88443598062eb4bde04c36668219d5bc7a1d7d55e5d5c3ede0907173ef132

SHA512
4ea6cca446800a301450d76c130c7510a66750be18ac2ea9220836b79aad6ca26503dc293961c2b35913b046639f740215082a3c4df2110f064b9dfb12badf3e

Download Submit
C:\Windows\SysWOW64\Aaghnnab.exe

Filesize
50KB

MD5
93e603cee04e37ebfc26190fdaad8baa

SHA1
53d615fcaca589ecb00b1d6b2a71c56268d4a281

SHA256
83f88443598062eb4bde04c36668219d5bc7a1d7d55e5d5c3ede0907173ef132

SHA512
4ea6cca446800a301450d76c130c7510a66750be18ac2ea9220836b79aad6ca26503dc293961c2b35913b046639f740215082a3c4df2110f064b9dfb12badf3e

Download Submit
C:\Windows\SysWOW64\Acgeha32.exe

Filesize
50KB

MD5
6289184397b3018c5daaac357937629f

SHA1
8f62231341f9e8ca7e2257b27db992de327e6ba9

SHA256
1cd233e9e7ad3c17d07c75a6c45b5effbe8eded4dc3ae76970f66be4ef3a3581

SHA512
147f54aaddbd05e188deaba82afd3e8228be4b0eebce0b1f1c4a24770f505f077e27da9de71ae2a2133311739efe23642a167731cff70fa3de3e72457ce6e8d2

Download Submit
C:\Windows\SysWOW64\Acgeha32.exe

Filesize
50KB

MD5
6289184397b3018c5daaac357937629f

SHA1
8f62231341f9e8ca7e2257b27db992de327e6ba9

SHA256
1cd233e9e7ad3c17d07c75a6c45b5effbe8eded4dc3ae76970f66be4ef3a3581

SHA512
147f54aaddbd05e188deaba82afd3e8228be4b0eebce0b1f1c4a24770f505f077e27da9de71ae2a2133311739efe23642a167731cff70fa3de3e72457ce6e8d2

Download Submit
C:\Windows\SysWOW64\Akpmgc32.exe

Filesize
50KB

MD5
2288e777a39e18d2f09bbff676a8cf03

SHA1
dc0af4e74eda91735ac91e102d1c9b934e1a8f2a

SHA256
87fc894f0b0cb1b7b785319a2289f73437c703ea3d754afbcf45ab774057db4f

SHA512
84d205bcd9b7780ae407083c868d5927f9ce9cfb5042884306b22138eaa5b26a252a4307f88b9b0c7434a07ea559639e113ed0e2b5fda36ae2e58c51fc614c49

Download Submit
C:\Windows\SysWOW64\Akpmgc32.exe

Filesize
50KB

MD5
2288e777a39e18d2f09bbff676a8cf03

SHA1
dc0af4e74eda91735ac91e102d1c9b934e1a8f2a

SHA256
87fc894f0b0cb1b7b785319a2289f73437c703ea3d754afbcf45ab774057db4f

SHA512
84d205bcd9b7780ae407083c868d5927f9ce9cfb5042884306b22138eaa5b26a252a4307f88b9b0c7434a07ea559639e113ed0e2b5fda36ae2e58c51fc614c49

Download Submit
C:\Windows\SysWOW64\Apflff32.exe

Filesize
50KB

MD5
02b37556b0ba94b9336969005f68bf03

SHA1
ad667e5c93cac575967f1bd400666b579f2e2ba4

SHA256
4fad003370701156a0b25c1d3ce2369f3d1a71428742f1f309f20407ac554e90

SHA512
ea52a7e164dc2132d6ccdf171e9433aec04a4a3473e21dc32d9372c4ab55280efe5ea844e05aff29c62ca4fb8c84ea5e495fced9ec89dd548bcb3c171c7b1cce

Download Submit
C:\Windows\SysWOW64\Apflff32.exe

Filesize
50KB

MD5
02b37556b0ba94b9336969005f68bf03

SHA1
ad667e5c93cac575967f1bd400666b579f2e2ba4

SHA256
4fad003370701156a0b25c1d3ce2369f3d1a71428742f1f309f20407ac554e90

SHA512
ea52a7e164dc2132d6ccdf171e9433aec04a4a3473e21dc32d9372c4ab55280efe5ea844e05aff29c62ca4fb8c84ea5e495fced9ec89dd548bcb3c171c7b1cce

Download Submit
C:\Windows\SysWOW64\Olaqqe32.exe

Filesize
50KB

MD5
28294386a52ea5e927e81f2283650055

SHA1
04c574e56b2e39fbf5ba93b51742cf8646eefa17

SHA256
4bbedbbab897bb694cdabf8884d7cdb78f16c4b156af84b21f7c4a3680614e25

SHA512
a5fc8b56705982ec2cb1b6a58d34197261f1874d8f071164210ec45d2e56ef0bbff2d46f9a69fd19a4dbb08687ef10e2485ca6842521261719853e11a8f19928

Download Submit
C:\Windows\SysWOW64\Olaqqe32.exe

Filesize
50KB

MD5
28294386a52ea5e927e81f2283650055

SHA1
04c574e56b2e39fbf5ba93b51742cf8646eefa17

SHA256
4bbedbbab897bb694cdabf8884d7cdb78f16c4b156af84b21f7c4a3680614e25

SHA512
a5fc8b56705982ec2cb1b6a58d34197261f1874d8f071164210ec45d2e56ef0bbff2d46f9a69fd19a4dbb08687ef10e2485ca6842521261719853e11a8f19928

Download Submit
C:\Windows\SysWOW64\Opoigc32.exe

Filesize
50KB

MD5
feae58c2a5ed78d2c18ffd30792d3540

SHA1
9c0c7160dfb8dde0ff85b28bbbdea0016ed81440

SHA256
875b0541be9dc0c54704002f9f5e49c6f3276d2f4e01c01b8fc915e47d977153

SHA512
df77bdbaa1100c448c9862525efb6832650d2079e51b75ab020a4ebaf9980e3e1a50bbea7c5b067a0a2c6eff5d8277007058a77a1db9429e570a05a92f6da8d5

Download Submit
C:\Windows\SysWOW64\Opoigc32.exe

Filesize
50KB

MD5
feae58c2a5ed78d2c18ffd30792d3540

SHA1
9c0c7160dfb8dde0ff85b28bbbdea0016ed81440

SHA256
875b0541be9dc0c54704002f9f5e49c6f3276d2f4e01c01b8fc915e47d977153

SHA512
df77bdbaa1100c448c9862525efb6832650d2079e51b75ab020a4ebaf9980e3e1a50bbea7c5b067a0a2c6eff5d8277007058a77a1db9429e570a05a92f6da8d5

Download Submit
C:\Windows\SysWOW64\Pajidjld.exe

Filesize
50KB

MD5
048bd6f6949de9c5655c5571ab06ce2f

SHA1
6bb8c39916f60762ceaa924447f4b4a405271ab1

SHA256
82e36ae0bd46f77b3ec53aabeb10fb04e40b1276c288b3d1c4c4e6b8e7d06f3f

SHA512
4dd9295f91613cb15ebe9372ade3478adb3963be4041aadea706bb059a0fd0d5893f60ac3f26ac9b31438782ff820384b79fde8112cb4d17d4bd9ea3dc471657

Download Submit
C:\Windows\SysWOW64\Pajidjld.exe

Filesize
50KB

MD5
048bd6f6949de9c5655c5571ab06ce2f

SHA1
6bb8c39916f60762ceaa924447f4b4a405271ab1

SHA256
82e36ae0bd46f77b3ec53aabeb10fb04e40b1276c288b3d1c4c4e6b8e7d06f3f

SHA512
4dd9295f91613cb15ebe9372ade3478adb3963be4041aadea706bb059a0fd0d5893f60ac3f26ac9b31438782ff820384b79fde8112cb4d17d4bd9ea3dc471657

Download Submit
C:\Windows\SysWOW64\Phdaad32.exe

Filesize
50KB

MD5
42ca6cbd56fca239c18033bb54692e9d

SHA1
64575e3a38d1c19145817f9f22ae0c804d456f0c

SHA256
ed41989429d96c7a6beac882ac45100b420a5074899227fe16d00c382f3699db

SHA512
b94c229392ddc94c8cde50b1cdf2ed350f517e2dcae859f6db98f9e5d86c6c422f89d9a7c98d2adedec945e48cf45a97dac0d5b66f6f90e2f87e2a656526cd31

Download Submit
C:\Windows\SysWOW64\Phdaad32.exe

Filesize
50KB

MD5
42ca6cbd56fca239c18033bb54692e9d

SHA1
64575e3a38d1c19145817f9f22ae0c804d456f0c

SHA256
ed41989429d96c7a6beac882ac45100b420a5074899227fe16d00c382f3699db

SHA512
b94c229392ddc94c8cde50b1cdf2ed350f517e2dcae859f6db98f9e5d86c6c422f89d9a7c98d2adedec945e48cf45a97dac0d5b66f6f90e2f87e2a656526cd31

Download Submit
C:\Windows\SysWOW64\Phmkqeji.exe

Filesize
50KB

MD5
0b3eceea55edcaf427598d96832b943b

SHA1
7b2749b323b04f267c2ff7374ac76fc0d4e4682b

SHA256
da3c724b22e8dc7d4e7fa095fc0fb217d362bbfca5277ec64950dfe566460226

SHA512
ebfcf48f036b37768e5f8346039b26f6ba39d36ea03392a5863712926d7aa5d250d24b5adc48b78a6e015a46de3bfd7936eb45d303ef1f80cf4decf16837d629

Download Submit
C:\Windows\SysWOW64\Phmkqeji.exe

Filesize
50KB

MD5
0b3eceea55edcaf427598d96832b943b

SHA1
7b2749b323b04f267c2ff7374ac76fc0d4e4682b

SHA256
da3c724b22e8dc7d4e7fa095fc0fb217d362bbfca5277ec64950dfe566460226

SHA512
ebfcf48f036b37768e5f8346039b26f6ba39d36ea03392a5863712926d7aa5d250d24b5adc48b78a6e015a46de3bfd7936eb45d303ef1f80cf4decf16837d629

Download Submit
C:\Windows\SysWOW64\Plkcgd32.exe

Filesize
50KB

MD5
34e2ffa6b20bc9ef333ff767e10464dd

SHA1
19c7a95a271a7aec1dbecc0117e43c0bcd7902f5

SHA256
f24761fa991696f16df6e67b9042947f1d11e423e51a9f267f24c144d40fd0b9

SHA512
f9fdc18b7aad95b98a04f2df42834d3e5477c50bbd98a1a92ed85adac5949642fd7ae6734ea84bfb1f703322746fa5f122cbeee0990f37d8c08b0de29701a4a1

Download Submit
C:\Windows\SysWOW64\Plkcgd32.exe

Filesize
50KB

MD5
34e2ffa6b20bc9ef333ff767e10464dd

SHA1
19c7a95a271a7aec1dbecc0117e43c0bcd7902f5

SHA256
f24761fa991696f16df6e67b9042947f1d11e423e51a9f267f24c144d40fd0b9

SHA512
f9fdc18b7aad95b98a04f2df42834d3e5477c50bbd98a1a92ed85adac5949642fd7ae6734ea84bfb1f703322746fa5f122cbeee0990f37d8c08b0de29701a4a1

Download Submit
C:\Windows\SysWOW64\Pmlpnlfn.exe

Filesize
50KB

MD5
7853e7fb54c9dfd3fe52c535f35230fa

SHA1
d98b3b240acb0249b3d38fc5a0436dd8f5b87ebc

SHA256
f0423711d55f95577e348d7db2d7c572f8f079916eebb36ee7560317ce53badd

SHA512
8d8779e19bb7062c0aae87af3e4ff6c3a7852d73fc59265283b6596c64f735cd96f1b406d3727f2aead836af9f10bf796fc1a8a69d10526e45a41ddda0b62c62

Download Submit
C:\Windows\SysWOW64\Pmlpnlfn.exe

Filesize
50KB

MD5
7853e7fb54c9dfd3fe52c535f35230fa

SHA1
d98b3b240acb0249b3d38fc5a0436dd8f5b87ebc

SHA256
f0423711d55f95577e348d7db2d7c572f8f079916eebb36ee7560317ce53badd

SHA512
8d8779e19bb7062c0aae87af3e4ff6c3a7852d73fc59265283b6596c64f735cd96f1b406d3727f2aead836af9f10bf796fc1a8a69d10526e45a41ddda0b62c62

Download Submit
C:\Windows\SysWOW64\Pmqiik32.exe

Filesize
50KB

MD5
01502864237abffd0dff967f8c734cd8

SHA1
b79f26a2de682ee48eaeb66bb7138b44af92b0c7

SHA256
e836d94847757e7338da6fafa45cc65845245492401ff52a3ddcc6e2764232a6

SHA512
15df89fc7bf082dbe4e2981074b11d4ca79240619a85515fe4aed007118893adcd222b097e859a3ee297dc4667853b534896cf3562a4ad83fb6684e4db2a920a

Download Submit
C:\Windows\SysWOW64\Pmqiik32.exe

Filesize
50KB

MD5
01502864237abffd0dff967f8c734cd8

SHA1
b79f26a2de682ee48eaeb66bb7138b44af92b0c7

SHA256
e836d94847757e7338da6fafa45cc65845245492401ff52a3ddcc6e2764232a6

SHA512
15df89fc7bf082dbe4e2981074b11d4ca79240619a85515fe4aed007118893adcd222b097e859a3ee297dc4667853b534896cf3562a4ad83fb6684e4db2a920a

Download Submit
C:\Windows\SysWOW64\Ppaflc32.exe

Filesize
50KB

MD5
a3c56678f290f102f291a78947c5f610

SHA1
82adf0bbe106b6a91d748aeae8ef4c3760b92827

SHA256
f3cfc414a1ed5483b6c59537e0e54864d5d154d71a0a306284949d6ecd1db0b1

SHA512
14f1b24011f5ae28313fd79c8946a8cc6a5b1687d8a5c6cfd80ad79391ca2ca6c7690ebff66c598bf50858ecf4c5f74f9f8257e7b27e474617140044e662b043

Download Submit
C:\Windows\SysWOW64\Ppaflc32.exe

Filesize
50KB

MD5
a3c56678f290f102f291a78947c5f610

SHA1
82adf0bbe106b6a91d748aeae8ef4c3760b92827

SHA256
f3cfc414a1ed5483b6c59537e0e54864d5d154d71a0a306284949d6ecd1db0b1

SHA512
14f1b24011f5ae28313fd79c8946a8cc6a5b1687d8a5c6cfd80ad79391ca2ca6c7690ebff66c598bf50858ecf4c5f74f9f8257e7b27e474617140044e662b043

Download Submit
C:\Windows\SysWOW64\Qcbkmalj.exe

Filesize
50KB

MD5
cf6410b17e5a03852ad5b8e26975a87d

SHA1
448c913dda5e31ed33a9f09c647ffb5d533b70be

SHA256
2d891f96cb2e0fc4964644d2598367c0b7bbe1b30f2ff5fc9d8b3e4aeebc33a5

SHA512
6d717bf14c0a2c5f2dd52b3ce7d126203cdc42958dbe184a72f5101d5e8426387f2eab44c35dee87efd4e2abab217efddd3dc53a8f93abf9274da4624e78a7de

Download Submit
C:\Windows\SysWOW64\Qcbkmalj.exe

Filesize
50KB

MD5
cf6410b17e5a03852ad5b8e26975a87d

SHA1
448c913dda5e31ed33a9f09c647ffb5d533b70be

SHA256
2d891f96cb2e0fc4964644d2598367c0b7bbe1b30f2ff5fc9d8b3e4aeebc33a5

SHA512
6d717bf14c0a2c5f2dd52b3ce7d126203cdc42958dbe184a72f5101d5e8426387f2eab44c35dee87efd4e2abab217efddd3dc53a8f93abf9274da4624e78a7de

Download Submit
C:\Windows\SysWOW64\Qenkcmma.exe

Filesize
50KB

MD5
5cc62d7b6469cfdf5e853de4ca4ac711

SHA1
aac154b7b2b077140a85732c729d938456a7a7f7

SHA256
d50e2dddff41b78178567df1304ec269bcef58f45cfb06a9e24b7fa64e9da991

SHA512
1439dac4b81e32aa596d0b13975c37d3949e39665acaae02c1b41a4f3ba50a6c6d91c4b6f7f2a5d4a5ce0a5494d1bff0d3d3d2046884f56d679a1a08732c18a9

Download Submit
C:\Windows\SysWOW64\Qenkcmma.exe

Filesize
50KB

MD5
5cc62d7b6469cfdf5e853de4ca4ac711

SHA1
aac154b7b2b077140a85732c729d938456a7a7f7

SHA256
d50e2dddff41b78178567df1304ec269bcef58f45cfb06a9e24b7fa64e9da991

SHA512
1439dac4b81e32aa596d0b13975c37d3949e39665acaae02c1b41a4f3ba50a6c6d91c4b6f7f2a5d4a5ce0a5494d1bff0d3d3d2046884f56d679a1a08732c18a9

Download Submit
C:\Windows\SysWOW64\Qigjol32.exe

Filesize
50KB

MD5
4477b6c96f9ccc12f529fc04809ee3d0

SHA1
9a80f2c13d1dcfc327e47f59f7e73d580b24017d

SHA256
146542065d1b3a73fe1a37b49d400c413fcaa49cfa92de73396d0c5d409d1ec5

SHA512
704d0e6ba717c122bd0ebadc1f98263e1211fbe65459ca7c0de3fc1bf3edb30d6fae675790b49ecaac371dac3a83a3d6fec7d8cda46e7d30b54a5a2c166313c0

Download Submit
C:\Windows\SysWOW64\Qigjol32.exe

Filesize
50KB

MD5
4477b6c96f9ccc12f529fc04809ee3d0

SHA1
9a80f2c13d1dcfc327e47f59f7e73d580b24017d

SHA256
146542065d1b3a73fe1a37b49d400c413fcaa49cfa92de73396d0c5d409d1ec5

SHA512
704d0e6ba717c122bd0ebadc1f98263e1211fbe65459ca7c0de3fc1bf3edb30d6fae675790b49ecaac371dac3a83a3d6fec7d8cda46e7d30b54a5a2c166313c0

Download Submit
\Windows\SysWOW64\Aaghnnab.exe

Filesize
50KB

MD5
93e603cee04e37ebfc26190fdaad8baa

SHA1
53d615fcaca589ecb00b1d6b2a71c56268d4a281

SHA256
83f88443598062eb4bde04c36668219d5bc7a1d7d55e5d5c3ede0907173ef132

SHA512
4ea6cca446800a301450d76c130c7510a66750be18ac2ea9220836b79aad6ca26503dc293961c2b35913b046639f740215082a3c4df2110f064b9dfb12badf3e

Download Submit
\Windows\SysWOW64\Aaghnnab.exe

Filesize
50KB

MD5
93e603cee04e37ebfc26190fdaad8baa

SHA1
53d615fcaca589ecb00b1d6b2a71c56268d4a281

SHA256
83f88443598062eb4bde04c36668219d5bc7a1d7d55e5d5c3ede0907173ef132

SHA512
4ea6cca446800a301450d76c130c7510a66750be18ac2ea9220836b79aad6ca26503dc293961c2b35913b046639f740215082a3c4df2110f064b9dfb12badf3e

Download Submit
\Windows\SysWOW64\Acgeha32.exe

Filesize
50KB

MD5
6289184397b3018c5daaac357937629f

SHA1
8f62231341f9e8ca7e2257b27db992de327e6ba9

SHA256
1cd233e9e7ad3c17d07c75a6c45b5effbe8eded4dc3ae76970f66be4ef3a3581

SHA512
147f54aaddbd05e188deaba82afd3e8228be4b0eebce0b1f1c4a24770f505f077e27da9de71ae2a2133311739efe23642a167731cff70fa3de3e72457ce6e8d2

Download Submit
\Windows\SysWOW64\Acgeha32.exe

Filesize
50KB

MD5
6289184397b3018c5daaac357937629f

SHA1
8f62231341f9e8ca7e2257b27db992de327e6ba9

SHA256
1cd233e9e7ad3c17d07c75a6c45b5effbe8eded4dc3ae76970f66be4ef3a3581

SHA512
147f54aaddbd05e188deaba82afd3e8228be4b0eebce0b1f1c4a24770f505f077e27da9de71ae2a2133311739efe23642a167731cff70fa3de3e72457ce6e8d2

Download Submit
\Windows\SysWOW64\Akpmgc32.exe

Filesize
50KB

MD5
2288e777a39e18d2f09bbff676a8cf03

SHA1
dc0af4e74eda91735ac91e102d1c9b934e1a8f2a

SHA256
87fc894f0b0cb1b7b785319a2289f73437c703ea3d754afbcf45ab774057db4f

SHA512
84d205bcd9b7780ae407083c868d5927f9ce9cfb5042884306b22138eaa5b26a252a4307f88b9b0c7434a07ea559639e113ed0e2b5fda36ae2e58c51fc614c49

Download Submit
\Windows\SysWOW64\Akpmgc32.exe

Filesize
50KB

MD5
2288e777a39e18d2f09bbff676a8cf03

SHA1
dc0af4e74eda91735ac91e102d1c9b934e1a8f2a

SHA256
87fc894f0b0cb1b7b785319a2289f73437c703ea3d754afbcf45ab774057db4f

SHA512
84d205bcd9b7780ae407083c868d5927f9ce9cfb5042884306b22138eaa5b26a252a4307f88b9b0c7434a07ea559639e113ed0e2b5fda36ae2e58c51fc614c49

Download Submit
\Windows\SysWOW64\Apflff32.exe

Filesize
50KB

MD5
02b37556b0ba94b9336969005f68bf03

SHA1
ad667e5c93cac575967f1bd400666b579f2e2ba4

SHA256
4fad003370701156a0b25c1d3ce2369f3d1a71428742f1f309f20407ac554e90

SHA512
ea52a7e164dc2132d6ccdf171e9433aec04a4a3473e21dc32d9372c4ab55280efe5ea844e05aff29c62ca4fb8c84ea5e495fced9ec89dd548bcb3c171c7b1cce

Download Submit
\Windows\SysWOW64\Apflff32.exe

Filesize
50KB

MD5
02b37556b0ba94b9336969005f68bf03

SHA1
ad667e5c93cac575967f1bd400666b579f2e2ba4

SHA256
4fad003370701156a0b25c1d3ce2369f3d1a71428742f1f309f20407ac554e90

SHA512
ea52a7e164dc2132d6ccdf171e9433aec04a4a3473e21dc32d9372c4ab55280efe5ea844e05aff29c62ca4fb8c84ea5e495fced9ec89dd548bcb3c171c7b1cce

Download Submit
\Windows\SysWOW64\Olaqqe32.exe

Filesize
50KB

MD5
28294386a52ea5e927e81f2283650055

SHA1
04c574e56b2e39fbf5ba93b51742cf8646eefa17

SHA256
4bbedbbab897bb694cdabf8884d7cdb78f16c4b156af84b21f7c4a3680614e25

SHA512
a5fc8b56705982ec2cb1b6a58d34197261f1874d8f071164210ec45d2e56ef0bbff2d46f9a69fd19a4dbb08687ef10e2485ca6842521261719853e11a8f19928

Download Submit
\Windows\SysWOW64\Olaqqe32.exe

Filesize
50KB

MD5
28294386a52ea5e927e81f2283650055

SHA1
04c574e56b2e39fbf5ba93b51742cf8646eefa17

SHA256
4bbedbbab897bb694cdabf8884d7cdb78f16c4b156af84b21f7c4a3680614e25

SHA512
a5fc8b56705982ec2cb1b6a58d34197261f1874d8f071164210ec45d2e56ef0bbff2d46f9a69fd19a4dbb08687ef10e2485ca6842521261719853e11a8f19928

Download Submit
\Windows\SysWOW64\Opoigc32.exe

Filesize
50KB

MD5
feae58c2a5ed78d2c18ffd30792d3540

SHA1
9c0c7160dfb8dde0ff85b28bbbdea0016ed81440

SHA256
875b0541be9dc0c54704002f9f5e49c6f3276d2f4e01c01b8fc915e47d977153

SHA512
df77bdbaa1100c448c9862525efb6832650d2079e51b75ab020a4ebaf9980e3e1a50bbea7c5b067a0a2c6eff5d8277007058a77a1db9429e570a05a92f6da8d5

Download Submit
\Windows\SysWOW64\Opoigc32.exe

Filesize
50KB

MD5
feae58c2a5ed78d2c18ffd30792d3540

SHA1
9c0c7160dfb8dde0ff85b28bbbdea0016ed81440

SHA256
875b0541be9dc0c54704002f9f5e49c6f3276d2f4e01c01b8fc915e47d977153

SHA512
df77bdbaa1100c448c9862525efb6832650d2079e51b75ab020a4ebaf9980e3e1a50bbea7c5b067a0a2c6eff5d8277007058a77a1db9429e570a05a92f6da8d5

Download Submit
\Windows\SysWOW64\Pajidjld.exe

Filesize
50KB

MD5
048bd6f6949de9c5655c5571ab06ce2f

SHA1
6bb8c39916f60762ceaa924447f4b4a405271ab1

SHA256
82e36ae0bd46f77b3ec53aabeb10fb04e40b1276c288b3d1c4c4e6b8e7d06f3f

SHA512
4dd9295f91613cb15ebe9372ade3478adb3963be4041aadea706bb059a0fd0d5893f60ac3f26ac9b31438782ff820384b79fde8112cb4d17d4bd9ea3dc471657

Download Submit
\Windows\SysWOW64\Pajidjld.exe

Filesize
50KB

MD5
048bd6f6949de9c5655c5571ab06ce2f

SHA1
6bb8c39916f60762ceaa924447f4b4a405271ab1

SHA256
82e36ae0bd46f77b3ec53aabeb10fb04e40b1276c288b3d1c4c4e6b8e7d06f3f

SHA512
4dd9295f91613cb15ebe9372ade3478adb3963be4041aadea706bb059a0fd0d5893f60ac3f26ac9b31438782ff820384b79fde8112cb4d17d4bd9ea3dc471657

Download Submit
\Windows\SysWOW64\Phdaad32.exe

Filesize
50KB

MD5
42ca6cbd56fca239c18033bb54692e9d

SHA1
64575e3a38d1c19145817f9f22ae0c804d456f0c

SHA256
ed41989429d96c7a6beac882ac45100b420a5074899227fe16d00c382f3699db

SHA512
b94c229392ddc94c8cde50b1cdf2ed350f517e2dcae859f6db98f9e5d86c6c422f89d9a7c98d2adedec945e48cf45a97dac0d5b66f6f90e2f87e2a656526cd31

Download Submit
\Windows\SysWOW64\Phdaad32.exe

Filesize
50KB

MD5
42ca6cbd56fca239c18033bb54692e9d

SHA1
64575e3a38d1c19145817f9f22ae0c804d456f0c

SHA256
ed41989429d96c7a6beac882ac45100b420a5074899227fe16d00c382f3699db

SHA512
b94c229392ddc94c8cde50b1cdf2ed350f517e2dcae859f6db98f9e5d86c6c422f89d9a7c98d2adedec945e48cf45a97dac0d5b66f6f90e2f87e2a656526cd31

Download Submit
\Windows\SysWOW64\Phmkqeji.exe

Filesize
50KB

MD5
0b3eceea55edcaf427598d96832b943b

SHA1
7b2749b323b04f267c2ff7374ac76fc0d4e4682b

SHA256
da3c724b22e8dc7d4e7fa095fc0fb217d362bbfca5277ec64950dfe566460226

SHA512
ebfcf48f036b37768e5f8346039b26f6ba39d36ea03392a5863712926d7aa5d250d24b5adc48b78a6e015a46de3bfd7936eb45d303ef1f80cf4decf16837d629

Download Submit
\Windows\SysWOW64\Phmkqeji.exe

Filesize
50KB

MD5
0b3eceea55edcaf427598d96832b943b

SHA1
7b2749b323b04f267c2ff7374ac76fc0d4e4682b

SHA256
da3c724b22e8dc7d4e7fa095fc0fb217d362bbfca5277ec64950dfe566460226

SHA512
ebfcf48f036b37768e5f8346039b26f6ba39d36ea03392a5863712926d7aa5d250d24b5adc48b78a6e015a46de3bfd7936eb45d303ef1f80cf4decf16837d629

Download Submit
\Windows\SysWOW64\Plkcgd32.exe

Filesize
50KB

MD5
34e2ffa6b20bc9ef333ff767e10464dd

SHA1
19c7a95a271a7aec1dbecc0117e43c0bcd7902f5

SHA256
f24761fa991696f16df6e67b9042947f1d11e423e51a9f267f24c144d40fd0b9

SHA512
f9fdc18b7aad95b98a04f2df42834d3e5477c50bbd98a1a92ed85adac5949642fd7ae6734ea84bfb1f703322746fa5f122cbeee0990f37d8c08b0de29701a4a1

Download Submit
\Windows\SysWOW64\Plkcgd32.exe

Filesize
50KB

MD5
34e2ffa6b20bc9ef333ff767e10464dd

SHA1
19c7a95a271a7aec1dbecc0117e43c0bcd7902f5

SHA256
f24761fa991696f16df6e67b9042947f1d11e423e51a9f267f24c144d40fd0b9

SHA512
f9fdc18b7aad95b98a04f2df42834d3e5477c50bbd98a1a92ed85adac5949642fd7ae6734ea84bfb1f703322746fa5f122cbeee0990f37d8c08b0de29701a4a1

Download Submit
\Windows\SysWOW64\Pmlpnlfn.exe

Filesize
50KB

MD5
7853e7fb54c9dfd3fe52c535f35230fa

SHA1
d98b3b240acb0249b3d38fc5a0436dd8f5b87ebc

SHA256
f0423711d55f95577e348d7db2d7c572f8f079916eebb36ee7560317ce53badd

SHA512
8d8779e19bb7062c0aae87af3e4ff6c3a7852d73fc59265283b6596c64f735cd96f1b406d3727f2aead836af9f10bf796fc1a8a69d10526e45a41ddda0b62c62

Download Submit
\Windows\SysWOW64\Pmlpnlfn.exe

Filesize
50KB

MD5
7853e7fb54c9dfd3fe52c535f35230fa

SHA1
d98b3b240acb0249b3d38fc5a0436dd8f5b87ebc

SHA256
f0423711d55f95577e348d7db2d7c572f8f079916eebb36ee7560317ce53badd

SHA512
8d8779e19bb7062c0aae87af3e4ff6c3a7852d73fc59265283b6596c64f735cd96f1b406d3727f2aead836af9f10bf796fc1a8a69d10526e45a41ddda0b62c62

Download Submit
\Windows\SysWOW64\Pmqiik32.exe

Filesize
50KB

MD5
01502864237abffd0dff967f8c734cd8

SHA1
b79f26a2de682ee48eaeb66bb7138b44af92b0c7

SHA256
e836d94847757e7338da6fafa45cc65845245492401ff52a3ddcc6e2764232a6

SHA512
15df89fc7bf082dbe4e2981074b11d4ca79240619a85515fe4aed007118893adcd222b097e859a3ee297dc4667853b534896cf3562a4ad83fb6684e4db2a920a

Download Submit
\Windows\SysWOW64\Pmqiik32.exe

Filesize
50KB

MD5
01502864237abffd0dff967f8c734cd8

SHA1
b79f26a2de682ee48eaeb66bb7138b44af92b0c7

SHA256
e836d94847757e7338da6fafa45cc65845245492401ff52a3ddcc6e2764232a6

SHA512
15df89fc7bf082dbe4e2981074b11d4ca79240619a85515fe4aed007118893adcd222b097e859a3ee297dc4667853b534896cf3562a4ad83fb6684e4db2a920a

Download Submit
\Windows\SysWOW64\Ppaflc32.exe

Filesize
50KB

MD5
a3c56678f290f102f291a78947c5f610

SHA1
82adf0bbe106b6a91d748aeae8ef4c3760b92827

SHA256
f3cfc414a1ed5483b6c59537e0e54864d5d154d71a0a306284949d6ecd1db0b1

SHA512
14f1b24011f5ae28313fd79c8946a8cc6a5b1687d8a5c6cfd80ad79391ca2ca6c7690ebff66c598bf50858ecf4c5f74f9f8257e7b27e474617140044e662b043

Download Submit
\Windows\SysWOW64\Ppaflc32.exe

Filesize
50KB

MD5
a3c56678f290f102f291a78947c5f610

SHA1
82adf0bbe106b6a91d748aeae8ef4c3760b92827

SHA256
f3cfc414a1ed5483b6c59537e0e54864d5d154d71a0a306284949d6ecd1db0b1

SHA512
14f1b24011f5ae28313fd79c8946a8cc6a5b1687d8a5c6cfd80ad79391ca2ca6c7690ebff66c598bf50858ecf4c5f74f9f8257e7b27e474617140044e662b043

Download Submit
\Windows\SysWOW64\Qcbkmalj.exe

Filesize
50KB

MD5
cf6410b17e5a03852ad5b8e26975a87d

SHA1
448c913dda5e31ed33a9f09c647ffb5d533b70be

SHA256
2d891f96cb2e0fc4964644d2598367c0b7bbe1b30f2ff5fc9d8b3e4aeebc33a5

SHA512
6d717bf14c0a2c5f2dd52b3ce7d126203cdc42958dbe184a72f5101d5e8426387f2eab44c35dee87efd4e2abab217efddd3dc53a8f93abf9274da4624e78a7de

Download Submit
\Windows\SysWOW64\Qcbkmalj.exe

Filesize
50KB

MD5
cf6410b17e5a03852ad5b8e26975a87d

SHA1
448c913dda5e31ed33a9f09c647ffb5d533b70be

SHA256
2d891f96cb2e0fc4964644d2598367c0b7bbe1b30f2ff5fc9d8b3e4aeebc33a5

SHA512
6d717bf14c0a2c5f2dd52b3ce7d126203cdc42958dbe184a72f5101d5e8426387f2eab44c35dee87efd4e2abab217efddd3dc53a8f93abf9274da4624e78a7de

Download Submit
\Windows\SysWOW64\Qenkcmma.exe

Filesize
50KB

MD5
5cc62d7b6469cfdf5e853de4ca4ac711

SHA1
aac154b7b2b077140a85732c729d938456a7a7f7

SHA256
d50e2dddff41b78178567df1304ec269bcef58f45cfb06a9e24b7fa64e9da991

SHA512
1439dac4b81e32aa596d0b13975c37d3949e39665acaae02c1b41a4f3ba50a6c6d91c4b6f7f2a5d4a5ce0a5494d1bff0d3d3d2046884f56d679a1a08732c18a9

Download Submit
\Windows\SysWOW64\Qenkcmma.exe

Filesize
50KB

MD5
5cc62d7b6469cfdf5e853de4ca4ac711

SHA1
aac154b7b2b077140a85732c729d938456a7a7f7

SHA256
d50e2dddff41b78178567df1304ec269bcef58f45cfb06a9e24b7fa64e9da991

SHA512
1439dac4b81e32aa596d0b13975c37d3949e39665acaae02c1b41a4f3ba50a6c6d91c4b6f7f2a5d4a5ce0a5494d1bff0d3d3d2046884f56d679a1a08732c18a9

Download Submit
\Windows\SysWOW64\Qigjol32.exe

Filesize
50KB

MD5
4477b6c96f9ccc12f529fc04809ee3d0

SHA1
9a80f2c13d1dcfc327e47f59f7e73d580b24017d

SHA256
146542065d1b3a73fe1a37b49d400c413fcaa49cfa92de73396d0c5d409d1ec5

SHA512
704d0e6ba717c122bd0ebadc1f98263e1211fbe65459ca7c0de3fc1bf3edb30d6fae675790b49ecaac371dac3a83a3d6fec7d8cda46e7d30b54a5a2c166313c0

Download Submit
\Windows\SysWOW64\Qigjol32.exe

Filesize
50KB

MD5
4477b6c96f9ccc12f529fc04809ee3d0

SHA1
9a80f2c13d1dcfc327e47f59f7e73d580b24017d

SHA256
146542065d1b3a73fe1a37b49d400c413fcaa49cfa92de73396d0c5d409d1ec5

SHA512
704d0e6ba717c122bd0ebadc1f98263e1211fbe65459ca7c0de3fc1bf3edb30d6fae675790b49ecaac371dac3a83a3d6fec7d8cda46e7d30b54a5a2c166313c0

Download Submit
memory/276-166-0x0000000000000000-mapping.dmp

Download
memory/276-209-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/276-210-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/304-259-0x0000000000000000-mapping.dmp

Download
memory/524-267-0x0000000000000000-mapping.dmp

Download
memory/556-116-0x0000000000000000-mapping.dmp

Download
memory/556-151-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/580-273-0x0000000000000000-mapping.dmp

Download
memory/592-218-0x0000000001B60000-0x0000000001B91000-memory.dmp

Filesize
196KB

Download
memory/592-169-0x0000000000000000-mapping.dmp

Download
memory/592-217-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/688-271-0x0000000000000000-mapping.dmp

Download
memory/792-222-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/792-171-0x0000000000000000-mapping.dmp

Download
memory/792-221-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/840-147-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/840-101-0x0000000000000000-mapping.dmp

Download
memory/864-177-0x0000000000000000-mapping.dmp

Download
memory/868-223-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/868-224-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/868-225-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/868-172-0x0000000000000000-mapping.dmp

Download
memory/872-194-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/872-159-0x0000000000000000-mapping.dmp

Download
memory/872-193-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/912-91-0x0000000000000000-mapping.dmp

Download
memory/912-144-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/916-137-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/916-56-0x0000000000000000-mapping.dmp

Download
memory/928-191-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/928-157-0x0000000000000000-mapping.dmp

Download
memory/940-190-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/940-156-0x0000000000000000-mapping.dmp

Download
memory/956-179-0x0000000000000000-mapping.dmp

Download
memory/968-185-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/968-154-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/968-131-0x0000000000000000-mapping.dmp

Download
memory/976-139-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/976-66-0x0000000000000000-mapping.dmp

Download
memory/980-150-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/980-111-0x0000000000000000-mapping.dmp

Download
memory/988-261-0x0000000000000000-mapping.dmp

Download
memory/992-86-0x0000000000000000-mapping.dmp

Download
memory/992-143-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1004-145-0x0000000000000000-mapping.dmp

Download
memory/1004-187-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1052-106-0x0000000000000000-mapping.dmp

Download
memory/1052-149-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1060-176-0x0000000000000000-mapping.dmp

Download
memory/1096-272-0x0000000000000000-mapping.dmp

Download
memory/1116-184-0x0000000000000000-mapping.dmp

Download
memory/1124-121-0x0000000000000000-mapping.dmp

Download
memory/1124-152-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1128-266-0x0000000000000000-mapping.dmp

Download
memory/1164-220-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1164-170-0x0000000000000000-mapping.dmp

Download
memory/1164-219-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1256-180-0x0000000000000000-mapping.dmp

Download
memory/1260-142-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1260-81-0x0000000000000000-mapping.dmp

Download
memory/1288-188-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1288-148-0x0000000000000000-mapping.dmp

Download
memory/1308-228-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1308-174-0x0000000000000000-mapping.dmp

Download
memory/1308-229-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/1308-230-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/1324-167-0x0000000000000000-mapping.dmp

Download
memory/1324-212-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1324-213-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1324-211-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1332-173-0x0000000000000000-mapping.dmp

Download
memory/1332-227-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1332-226-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1352-61-0x0000000000000000-mapping.dmp

Download
memory/1352-138-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1384-96-0x0000000000000000-mapping.dmp

Download
memory/1384-146-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1456-207-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1456-165-0x0000000000000000-mapping.dmp

Download
memory/1456-208-0x00000000003C0000-0x00000000003F1000-memory.dmp

Filesize
196KB

Download
memory/1508-254-0x0000000000000000-mapping.dmp

Download
memory/1520-274-0x0000000000000000-mapping.dmp

Download
memory/1528-269-0x0000000000000000-mapping.dmp

Download
memory/1552-260-0x0000000000000000-mapping.dmp

Download
memory/1568-181-0x0000000000000000-mapping.dmp

Download
memory/1588-204-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1588-203-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1588-202-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1588-163-0x0000000000000000-mapping.dmp

Download
memory/1608-182-0x0000000000000000-mapping.dmp

Download
memory/1612-253-0x0000000000000000-mapping.dmp

Download
memory/1620-252-0x0000000000000000-mapping.dmp

Download
memory/1644-126-0x0000000000000000-mapping.dmp

Download
memory/1644-153-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1648-162-0x0000000000000000-mapping.dmp

Download
memory/1648-201-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1648-200-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1648-199-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1656-140-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1656-71-0x0000000000000000-mapping.dmp

Download
memory/1664-76-0x0000000000000000-mapping.dmp

Download
memory/1664-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1672-270-0x0000000000000000-mapping.dmp

Download
memory/1692-196-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/1692-160-0x0000000000000000-mapping.dmp

Download
memory/1692-195-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1700-183-0x0000000000000000-mapping.dmp

Download
memory/1704-161-0x0000000000000000-mapping.dmp

Download
memory/1704-198-0x00000000003C0000-0x00000000003F1000-memory.dmp

Filesize
196KB

Download
memory/1704-197-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1712-206-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1712-164-0x0000000000000000-mapping.dmp

Download
memory/1712-205-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1740-192-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1740-158-0x0000000000000000-mapping.dmp

Download
memory/1800-268-0x0000000000000000-mapping.dmp

Download
memory/1808-175-0x0000000000000000-mapping.dmp

Download
memory/1816-189-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1816-155-0x0000000000000000-mapping.dmp

Download
memory/1864-168-0x0000000000000000-mapping.dmp

Download
memory/1864-214-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1864-215-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1864-216-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1956-178-0x0000000000000000-mapping.dmp

Download
memory/1984-136-0x0000000000000000-mapping.dmp

Download
memory/1984-186-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2016-135-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2016-134-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download